Proprietary information of Ingram Micro Inc. Do not distribute or duplicate without Ingram Micro's express written permission. © Ingram Micro Inc.

Source: What is GDPR and Should You Care? - Ingram Micro, security.ingrammicro.com/.../What-is-GDPR-and-Should-you-Care.pdf (1405002 rev 6.27.14)

What is GDPR and Should You Care?

Overview of Privacy Climate & Concerns

Today We Live In A World Where…

• Advertisers “read” key words in your Facebook posts and emails and decide what you might want to buy.

• You can probably “find” a photo of your 70-year-old mother on Google.

• Your mobile phone “tracks” and “shares” your location with all kinds of companies and service providers.

• You can download an album from Aghani apps and discover you’ve been “subscribed” to an artist’s fan page on Facebook without knowing it.

• The first thing you do when you get the details of a job candidate is “search” social media to find out more about them.

Why Do We Need Regulation?

Current Privacy Climate World Wide

• Effects of the Snowden leaks:

  Safe Harbor invalidated by the European Court of Justice.

  Tech companies got serious about privacy.

• Privacy has become an ever-increasing ethical and legal issue worldwide:

  New privacy laws in Japan, Brazil, Turkey etc.

  New data protection legislation in Europe.

• Increased privacy awareness amongst customers and consumers.

• Litigation over privacy matters is growing.

What is GDPR?

What is the GDPR?

• What? – Stands for General Data Protection Regulation. A privacy law that applies to personal data of EU residents.

• Main focus? – Personal Data, i.e. any information relating to an individual, whether they can be identified directly or indirectly.

• Objective? – Ensures individuals can control how information about them is used. Also ensures those holding the information protect it from disclosure.

• Scope? – Applies globally to any organization holding or processing EU residents’ information.

• Non-compliance? – Severe penalties and financial fines for non-compliance.

• When? – 25th May 2018 (around 12 months to be ready).

Key GDPR Terms

Data controller – A person or body which determines the purposes and means of processing personal data.

Data processor – An entity which processes the data on behalf of the data controller.

Personal data – Any information relating to an identified or identifiable natural person.

Process – Any operation(s) performed on personal data, whether or not by automated means.

DPO – Data Protection Officer. Appointing a DPO is obligatory under the GDPR in some cases.

Data Subject – A natural person who can be identified, or is identifiable, directly or indirectly.

Transfer – The transfer of personal data to countries outside the European Economic Area (EEA) or to international organizations.

Supervisory Authority – Supervisory authorities are national data protection authorities, empowered to enforce the GDPR in their own member state.

GDPR Principles – Seven Data Protection Principles

• Lawfulness, Fairness & Transparency – Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

• Purpose Limitation – Personal Data must be collected for specified, explicit and legitimate purposes.

• Data Minimisation – Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

• Accuracy – Personal Data must be accurate and, where necessary, kept up to date.

• Storage Limitation – Personal Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

• Integrity & Confidentiality – Appropriate technical and/or organizational measures have to be in place to ensure protection against unauthorized processing, accidental loss, destruction, and/or damage.

• Accountability – The controller shall be responsible for, and be able to demonstrate compliance with, these principles.

What Does It Mean To Organizations?

• Obtain clear consent.

• Obtain parental consent if the data subject is under 16.

• Provide a copy of an individual’s Personal Data on request.

• Erase all Personal records if requested.

• Provide adequate security.

• Conduct a Privacy Impact Assessment.

• One Supervisory Authority to deal with.

• Can select their preferred Supervisory Authority.


What Does It Mean To Individuals?

• The Right to be informed.

• The Right of Access.

• The Right to Rectification.

• The Right to Erasure.

• The Right to Restrict Processing.

• The Right to Data Portability.

• The Right to Object.

• Rights in Relation to Automated Decision Making and Profiling.

Mandatory Breach Notification

• If a Personal Data Breach is “likely to result in a risk to the rights and freedoms of individuals”:

  Notify the Supervisory Authority within 72 hours of becoming aware of the breach.

• If a high-risk breach is likely to affect the rights and freedoms of individuals:

  “You must notify those concerned directly.”

“Having strong Incident Management Capabilities is extremely important”

Sanctions/Fines

• Administrative Fines – two sets:

  Violation of GDPR provisions: up to €20,000,000 or 4% of annual global turnover, whichever is greater.

  Failing to notify a Data Security Breach: up to €10,000,000 or 2% of annual global turnover.

• An Individual can:

  Complain to the Supervisory Authority.

  Exercise their right to compensation.

Getting Ready for GDPR

Steps To Take

• Identify key data assets.

• Conduct a risk assessment.

• Establish policies.

• Use an existing framework (ISO 27k, NIST etc.).

• Monitor and respond.

• Conduct awareness training.

How Can Ingram Micro Help You Comply?

Ingram Micro Cyber Security Portfolio

• Services: Basic Technical Assessment, Consultancy Service, Managed Security Service

• Trainings: General Training, Certification Training, Specialized Training

• Vendors

Consultancy Services – Brief Description

Cyber Security Governance – Organization of information security, security strategy, structure, and roles and responsibilities.

Policies & Procedures Review – Review the design and effectiveness of established security policies and procedures.

Risk Assessment – Identify risks and propose mitigation measures.

Access Control Review – Assess controls of access provisioning, access removal, privilege assignment, and access monitoring.

Compliance Assessment – Assess compliance against local and international security standards and regulations.

Incident Management – Assess incident response capabilities including prevention, detection, and recovery.

Physical Security Assessment – Assess physical and environmental controls at data processing facilities.

Security Operations Review – Assess change management, patch management, malware protection, and network security management processes.

Trainings & Certifications

Domain – Audience – Credential

Laws and regulations – Those responsible for:

• Legal

• Compliance

• Information management

• Data governance

• Human Resources

Operations – Those responsible for:

• Risk management

• Privacy operations

• Accountability

• Audit

• Privacy analytics

Technology – Those responsible for:

• Information technology

• Information security

• Software engineering

• Privacy by Design

Tools To Help You Achieve Compliance

Control Compliance Suite – Delivers business-aware security and risk visibility so that customers are effectively able to align priorities across security, IT operations, and compliance.

ControlPoint – Helps you achieve information compliance by making it possible to understand, classify, and reduce outdated and unnecessary legacy dark data content.

IBM Regulatory Compliance Analytics – Streamlines the identification of potential obligations in regulations, reduces time and costs of compliance, and enables sustainable management of controls through an effortless dashboard.